HCSEC-2023-23 - Vault Enterprise Namespace Creation May Lead to Denial of Service

Bulletin ID: HCSEC-2023-23
Affected Products / Versions: Vault Enterprise versions 1.14.0, 1.13.4, and 1.12.8; fixed in 1.14.1, 1.13.5, and 1.12.9.
Publication Date: July 27, 2023

An unhandled error in Vault Enterprise’s namespace creation may cause the Vault process to crash, potentially resulting in denial of service. This vulnerability, CVE-2023-3774, is fixed in Vault Enterprise 1.14.1, 1.13.5, and 1.12.9.

Namespaces are a Vault Enterprise feature that provides isolated environments, with separate login paths and data isolated to each namespace.

During internal testing, it was discovered that under very rare circumstances, Vault Enterprise namespace creation may result in an unhandled error, causing the Vault process to crash.

In order to trigger this bug, an authenticated user requires permission to create a namespace. This operation is generally reserved for privileged operators with read/update permissions on the sys/namespaces path.

Customers should evaluate the risk associated with this issue and consider upgrading to Vault Enterprise 1.14.1, 1.13.5, and 1.12.9 or newer. Please refer to Upgrading Vault for general guidance and version-specific upgrade notes.
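To turn the version list above into a repeatable check, here is an added triage helper (example code written for this note, not HashiCorp's tooling). It assumes the version string comes from `vault version` or the `version` field of a `sys/health` response and that Enterprise builds carry a `+ent` suffix (an assumption, not stated on the page); the affected and fixed versions themselves are taken from the advisory. The sample health response is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Versions named in HCSEC-2023-23 (from the advisory text).
AFFECTED = {(1, 14, 0), (1, 13, 4), (1, 12, 8)}
# First fixed release per minor line, keyed by minor version.
FIXED = {14: (1, 14, 1), 13: (1, 13, 5), 12: (1, 12, 9)}

# Matches "1.13.4", "v1.14.1+ent", "1.14.0+ent.hsm" (suffix handling is an assumption).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None when the string is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_enterprise(text: str) -> bool:
    """Assumption: Enterprise builds carry a '+ent' build-metadata suffix."""
    return "+ent" in text


def triage(text: str) -> str:
    """Classify a Vault version string against HCSEC-2023-23.

    affected        : one of the three versions the advisory lists
    fixed           : at or above the fixed release of that minor line
    not-listed      : a version the advisory does not name (no claim either way)
    not-enterprise  : namespaces are an Enterprise feature, so this build is out of scope
    unparseable     : could not read a version out of the string
    """
    version = parse_version(text)
    if version is None:
        return "unparseable"
    if not is_enterprise(text):
        return "not-enterprise"
    if version in AFFECTED:
        return "affected"
    major, minor, _ = version
    fixed = FIXED.get(minor) if major == 1 else None
    if fixed is not None and version >= fixed:
        return "fixed"
    return "not-listed"


def triage_health(health_json: str) -> str:
    """Triage the 'version' field of a sys/health response body."""
    body = json.loads(health_json)
    return triage(str(body.get("version", "")))


# Constructed sample response body (shape assumed, not captured from a real cluster).
SAMPLE_HEALTH = '{"initialized": true, "sealed": false, "version": "1.13.4+ent"}'

if __name__ == "__main__":
    for candidate in ("1.13.4+ent", "v1.14.1+ent", "1.12.7+ent", "1.14.0", "n/a"):
        print(f"{candidate:>12}: {triage(candidate)}")
    print("sys/health sample:", triage_health(SAMPLE_HEALTH))
```

Only the three versions the advisory names are reported as affected; anything else that is not at or above the fixed release is reported as "not-listed" rather than guessed at, so the script never claims more than the bulletin does.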

This issue was identified by the Vault engineering team.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.